Facebook case calls transatlantic data transfers into question

One of the last remaining ways by which U.S. companies can handle European citizens’ data from outside of the EU was thrown into further jeopardy Wednesday.

Ireland’s data privacy regulator revealed that it plans to ask Europe’s high court to review a certain kind of back-up contractual language that Facebook — along with thousands of other companies — uses to transfer EU citizens’ data from overseas.

The same court last year overturned a widely used “Safe Harbor” arrangement between the United States and the EU that allowed companies to “self-certify” that they met Europe’s privacy requirements, which are more stringent than those in the U.S.

Following that decision last fall, many companies that had previously relied on the agreement then turned to so-called “model clauses” — snippets of pre-approved legal language — to make their transatlantic data transfers legal.

{mosads}But if the court rules that model clauses are also invalid, companies will be left with few choices but to house data on local servers within the EU. 

The decision touches thousands of firms that do business across the Atlantic, from the hospitality industry to social media.

At issue is U.S. surveillance law, which privacy advocates in the EU say does not adequately protect Europeans’ right to privacy and redress — sacrosanct under the EU Charter.

For Max Schrems, the Austrian complainant in the case against Facebook over its use of model clauses, the existing system offers no better protection than the Safe Harbor agreement did.

“I see no way that the [European high court] can say that model contracts are valid if they killed Safe Harbor based on the existence of these U.S. surveillance laws,” Schrems said in a statement. “All data protection lawyers knew that model contracts were a shaky thing, but it was so far the easiest and quickest solution they came up with.” 

Schrems also brought the original case against Facebook that resulted in the takedown of the old framework.

The U.S. Commerce Department and the European Commission are attempting to push through a replacement for Safe Harbor, but many of the same concerns that dogged the original arrangement have forestalled approval by Europe’s various data protection authorities. 

Critics have long warned that unless the U.S. overhauls its privacy and national security laws, there is no legal framework that can stand up in European courts.

In announcing the new deal, known as Privacy Shield, earlier this year, Commission officials insisted that the U.S. had provided “detailed written assurances” that surveillance of Europeans’ data by intelligence agencies would be subject to appropriate limitations. 

“The U.S. has clarified that they do not carry out indiscriminate surveillance of Europeans,” Andrus Ansip, vice president for the digital single market on the European Commission, said when the deal was announced.

The stakes are enormous should a new legal mechanism not be established. Businesses fear a chilling of transatlantic trade, valued at $1 trillion in 2014. 

The most likely outcome, experts say, would be a patchwork of country-to-country regulations that would make it extremely expensive for companies to comply.

Despite the risks, hard-line privacy advocates are not persuaded that the existing system goes far enough to protect EU citizens from U.S. surveillance. 

“As long as the U.S. does not substantially change its laws I don’t see now there could be a solution,” Schrems said Wednesday.